CVE-2026-27437
Received Received - Intake
Deserialization Vulnerability in Tennis Club Plugin Enables Object Injection

Publication date: 2026-03-05

Last updated on: 2026-03-06

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in ThemeREX Tennis Club tennis-sportclub allows Object Injection.This issue affects Tennis Club: from n/a through <= 1.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27437
EUVD
EUVD-2026-9648
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack tennis_club to 1.2.3 (inc)
themerex tennis_club to 1.2.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Users are strongly advised to apply Patchstack’s mitigation rule to block exploitation attempts until an official patch becomes available.

Since no official patch has been released for this vulnerability in Tennis Club Theme versions up to 1.2.3, applying the mitigation rule is the immediate recommended step.

Executive Summary

CVE-2026-27437 is a high-severity PHP Object Injection vulnerability in the WordPress Tennis Club Theme versions up to and including 1.2.3.

This vulnerability allows unauthenticated attackers to inject malicious PHP objects, which can lead to serious security issues such as remote code execution, SQL injection, path traversal, and denial of service.

The vulnerability is due to deserialization of untrusted data, enabling attackers to exploit the theme without needing any privileges.

Impact Analysis

This vulnerability can have severe impacts including remote code execution, allowing attackers to run arbitrary code on the affected system.

It can also lead to SQL injection, which may compromise the database, path traversal that can expose sensitive files, and denial of service attacks that disrupt the availability of the website.

Since no privileges are required to exploit this vulnerability, any attacker can potentially take control of the affected WordPress site.

Compliance Impact

I don't know

Detection Guidance

There is no specific information provided about commands or methods to detect this vulnerability on your network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27437. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart